DETAILED ACTION

Election/Restrictions 

1. Restriction to one of the following inventions is required under 35 U.S.C. 121:

I. Claims 1-21, drawn to controlling access to computer system devices,
classified in class 713, subclass 167. 

II. Claims 22-28, drawn to restricting the creation of special device files, 
classified in class 713, subclass 201. 

2. The inventions are distinct, each from the other because: 

Inventions group 1 and group 2 are related as combination and subcombination. 
Inventions in this relationship are distinct if it can be shown that (1) the combination as 
claimed does not require the particulars of the subcombination as claimed for 
patentability, and (2) that the subcombination has utility by itself or in other 
combinations (MPEP § 806.05(c)). In the instant case, the combination as claimed 
does not require the particulars of the subcombination as claimed because the 
particulars of how the special device files are created are not recited in the combination. 
The subcombination has separate utility such as restricting the creation of a special 
device file regardless of whether an access request is attempted. 

3. Because these inventions are distinct for the reasons given above and have 
acquired a separate status in the art as shown by their different classification, restriction 
for examination purposes as indicated is proper.

4. Because these inventions are distinct for the reasons given above and have
acquired a separate status in the art because of their recognized divergent subject 
matter, restriction for examination purposes as indicated is proper. 

5. Because these inventions are distinct for the reasons given above and the 
search required for Group 1 is not required for Group 2, restriction for examination 
purposes as indicated is proper. 

6. During a telephone conversation with WALKER, DARCELL on December 8, 
2004, a provisional election was made with traverse to prosecute the invention of group
1, claims 1-21. Affirmation of this election must be made by applicant in replying to this
Office action. Claims 22-28 withdrawn from further consideration by the examiner, 37 
CFR 1.142(b), as being drawn to a non-elected invention. 

7. Claims 1-21 pending. 

Claim Rejections - 35 USC § 112 

8. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly
claiming the subject matter which the applicant regards as his invention. 

9. Claim 1 recites the limitations "the file attributes", "the device file" and "the 
system device access attempt" in lines 3-4. There is insufficient antecedent basis for 
these limitations in the claim. 

Claim 4 recites the limitation "the protected object name of the database entry" in 
line 7. There is insufficient antecedent basis for this limitation in the claim. It is not 
clear what the protected object name is referring to since a protected object name was
not introduced previously. 

10. Claims 1-10 and 12-19 rejected under 35 U.S.C. 112, second paragraph, as 
being indefinite for failing to particularly point out and distinctly claim the subject matter 
which applicant regards as the invention. Applicant uses the terms "device file" and 
"special device file" interchangeably without making a distinction between the two 
throughout the claims. For example, claim 1, lines 3-4 state, "retrieving the file
attributes for the device file used in the system device access attempt;" then claim 1,
lines 5-6 go on to state, "determining whether the resource that is making the access 
attempt is a special device file". It is not clear whether the "device file" of line 3 is the 
same as the "special device file" of lines 5 and 6. If it is assumed they are the same 
thing then the two elements of the claim are circular in nature. The first step retrieves 
the file attributes for the device file used in the system device access attempt, the next 
step determines whether the resource making the access attempt is a device file, but 
the first step already establishes the resource making the access attempt as a device 
file since its attributes are being retrieved. 

If the "device file" and "special device file" are not the same then applicant needs 
to clarify the distinction between the two.

11. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that
form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public 
use or on sale in this country, more than one year prior to the date of application for patent in the United 
States. 

11-1. Claim 1 rejected under 35 U.S.C. 102(b) as being anticipated by Kenton et al. 
(Kenton), U.S. Patent No. 5,479,612.

As per claim 1, Kenton discloses a method for controlling access to a computer
system device comprising steps of: 

retrieving the file attributes for the device file used in the system device access 
attempt (column 3, lines 63-65; column 4, lines 16-24, column 4, lines 41-44); 

Kenton demonstrates retrieving file attributes for the device files by obtaining 
identification information about the device file. In addition, because it has been 
established that the identification information is being obtained from the device file being 
used in the system device access attempt, it has also been established that the 
resource making the access attempt is a device file thus encompassing the second 
element of this claim. 

determining whether the resource that is making the access attempt is a special 
device file (column 3, lines 63-65; column 4, lines 16-24, column 4, lines 41-44); 

As established above, the resource making the access attempt must be a special 
device file since the claim states that the file attributes will only be retrieved for a device 
file used on the system device access attempt.

Kenton demonstrates the functionality of a special device file, through a device
driver. Device drivers, "act as the portal to the device and its underlying functionality 
(Background of Invention, paragraph 1, lines 17-18)." Thus, a device driver is a special 
device file and will be referred to as such for the remainder of this office action. 

searching a mapping database for device files that represent the system device 
that is the object of the access attempt and generating a device file entry list of all 
protected device files that represent said system device (column 4, lines 29-33; column 
5, 18-22); 

Kenton exhibits the functionality of a "mapping database" through the use of 
device identification information as the look up data to be compared to a list of devices 
supported by the operating system. The identification information is mapped to the 
device it represents. 

Kenton demonstrates the functionality of "protected device files" through the use 
of device files needing license keys in order to be accessed. Since access is denied if 
these licenses are not present, this protects the devices from being accessed by the 
user and are considered protected device files. 

generating an authorization decision for the access attempt to the system device 
based on the security policy that governs each device file in the device file entry list 
(column 5, lines 36-47). 

Unless applicant defines a more specific security policy, the one demonstrated 
by Kenton, based on the presence of driver licenses, qualifies as a security policy that 
generates an authorization decision for an access attempt.

As per claim 2, the rejection of claim 1 is incorporated, and further Kenton
discloses before said searching step the step of terminating said access control method 
when the accessing resource is not a special device file (column 4, lines 34-40). 

As previously stated in claim 1, the resource must be a device file making the
access attempt to have the file attributes retrieved from it, thus, if it were not a device 
file the file attributes would not have been retrieved and the identification information 
needed in order to proceed to the next step of the access control method would not 
have been obtained. As a result the method would be terminated. 

As per claim 3, the rejection of claim 1 is incorporated, and further Kenton 
discloses after said searching step the step of terminating said access control method 
when said searching step did not find any database entries that had device 
specifications that match the device specifications of the device file making the access 
attempt (column 4, lines 30-40). 

Kenton's identification information embodies the functionality of applicant's 
device specification. 

As per claim 4, the rejection of claim 1 is incorporated, and further Kenton 
discloses said searching step comprising the steps of:

retrieving an entry from the mapping database (column 4, lines 29-34); 

comparing the device specification of the device file making the access attempt 
to the device specification of the database entry (column 4, lines 29-34); and 

comparing the file name of the device file making the access attempt to the 
protected object name of the database entry (column 4, lines 29-34).

Kenton demonstrates the functionality of retrieving an entry from the list, i.e.
mapping database, by virtue of the comparison step. In order to find and compare the 
correct peripheral device in the list, an entry in the list has already been retrieved in 
order to make the comparison since the entire list cannot be compared at the same 
time. Kenton shows the comparison of the immediate entry against each entry in the 
list. Each entry contains the device identification information and the device the 
identification information represents, thereby showing how this step compares both the 
specification of the device file and the object name. 

As per claim 5, the rejection of claim 4 is incorporated, and Kenton discloses a 
method further comprising after said file name comparison step the steps of: 

generating a device file entry list containing the database entry with the same file 
specification and file name as the device file making the access attempt (column 5, lines 
27-28); 

Kenton demonstrates the functionality of generating a device file entry list by 
writing to a log file. 

terminating said searching step (column 5, lines 46-47). 

As per claim 6, the rejection of claim 4 is incorporated, and Kenton discloses a 
method further comprising after said file name comparison step the steps of placing in a 
file entry list, a mapping database entry having the same file specification as, but 
different file name from the device file making the access attempt (column 5, lines 36-40).



Application/Control Number: 09/843.069 Page 9 

Art Unit: 2132 

Kenton shows the functionality of the list the applicant mentions through a list of 
devices which all share similar attributes and are grouped together but lack a driver 
license which is another way in which the peripheral devices are identified and access is 
controlled, i.e. the device file name. 

As per claim 7, the rejection of claim 6 is incorporated, and further Kenton 
discloses a method comprising the steps of: 

determining whether there are more entries in the database (column 4, lines 33-36);

retrieving the next mapping database entry for comparison with said device file 
making the access attempt, when more entries are found in the mapping database 
(column 4, lines 33-36); and 

returning to said device file comparison step (column 4, lines 33-36). 

In order to be assured that a peripheral device is not included in the list, the
search must include looping through the entire list entry by entry until no more entries 
remain. 

As per claim 8, the rejection of claim 2 is incorporated, and further Kenton 
discloses a method wherein said authorization decision step comprises the steps of: 

retrieving the current entry in the device file entry list (column 5, lines 18-22); 

In order to do the search, an entry would have to be retrieved in order to
proceed to the access decision step.

calling the access decision component to obtain an access decision for the
access attempt to the system device based on the security policy that governs the 
current entry in the device file entry list (figure 2, item 216); 

determining whether decision component granted access (column 5, lines 46-47);

The purpose of the access decision component is to decide whether or not to 
grant the resource access to the device, therefore this step is redundant since it is 
already incorporated into the access decision component. 

determining whether more entries are in this file entry list, if decision component 
granted access (column 5, lines 36-46); and 

updating current entry in said device file entry list and returning to said current 
entry retrieving step (column 5, lines 36-46). 

Kenton exhibits the functionality of looping from the step of retrieving the next 
entry in the file entry list and determining if there are more entries by having to add all of 
the values in the quantity fields for every valid installed key. In order to exhaust every 
valid installed key in the list, this step would have to loop through the entire list to add 
up each value, therefore, it would have to determine whether there are more entries and 
then return to the retrieval step if there were remaining items in the list. 

As per claim 9, the rejection of claim 8 is incorporated, and further Kenton 
discloses comprising after said decision determination step the step of denying the 
access attempt to the system device if the decision component of a device file entry 
denies access (item 216, figure 2, follow the "optional no" path).

As per claim 10, the rejection of claim 8 is incorporated, and further Kenton
discloses a method comprising the step of allowing the access attempt to the system 
device if no more entries are in the file entry list (step 216, figure 2). 

As previously stated, step 216 exhausts the entire list of valid installed keys in 
order to find the sum of all entries. Once the sum is computed, there are no more 
entries in the list and regardless of the decision, both paths lead to the use of the 
device. 

As per claim 11, Kenton discloses a method for controlling access to a computing
system device being accessed through a device file, said access control being through 
an externally stored resource and comprising the steps of: 

monitoring the computing system for activities related to creating and accessing 
special device files that represent system devices (column 3, lines 25-30); 

Since device drivers are the communication line between the peripheral devices 
themselves and the operating system, the device drivers themselves monitor when an 
access attempt is being made. 

restricting the creation of special device files based on rules defined in the 
externally stored resource (column 4, lines 64-67); and 

restricting special device file accesses based on rules defined in the externally 
stored resource (column 5, lines 5-8). 

The special device file access is restricted based on the rules associated with the 
driver license.

As per claims 12-19, this is a product version of the claimed method discussed
above in claims 1-11 wherein all claimed limitations have also been addressed and/or 
cited as set forth above. 

As per claim 20, Kenton discloses a computer connectable to a distributed 
computing system, which includes special device files containing information, related to 
corresponding system devices comprising: 

a processor (column 3, line 5; item 112, figure 1); 

a native operating system (column 3, lines 21-22; item 106, figure 1); 

application programs (column 3, lines 57-59); 

an externally stored authorization program overlaying said native operating 
system and augmenting the standard security controls of said native operating system 
(column 4, lines 41-44);

a mapping database within said external authorization program containing a 
system device to a protected object name entries for each protected file system object 
(column 4, lines 29-33); and

a decision component within said authorization program for controlling access to 
special device files representing system devices (column 5, lines 15-22; column 6, lines 
52-53). 

As per claim 21, the rejection of claim 20 is incorporated, and Kenton discloses a 
computer comprising an authorization program for restricting the creation of special 
device files representing protected system devices (column 4, lines 64-67).

Conclusion

The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

U.S. Patent 5,859,966 (Hayman et al.) utilizes security policies to control access
to peripheral devices similar to the instant invention. 

U.S. Patent 5,113,442 (Moir) contains an access decision component and 
mapping database similar to that in the instant invention. 

U.S. Patent 5,414,852 (Kramer et al) contains an entry list being formed from
search results ascertained from a mapping database.

U.S. Patent 5,283,830 (Hinsley et al) utilizes a comparison step similar to
the one used in the instant invention. 

U.S. Patent 6,112,263 (Futral) contains a similar mapping database and access
control method as the instant invention. 

U.S. Patent 5,483,649 (Kuznetsov et al) monitors the device requests/access 
attempts in a similar way as the instant invention. 

U.S. Patent 4,919,545 (Yu) contains the use of file attributes similar to how the
instant invention uses them. 

Applied Operating System Concepts, First Edition established that the way in which a
device driver communicates with peripheral devices is similar to that described in the
instant invention.

Operating System Concepts established that a device driver was similar to the
special device file used in the instant invention. 

UNIX SYSTEM Administration Handbook established that a device driver was 
similar to the special device file used in the instant invention. 

"A Basic UNIX Tutorial: The UNIX File system" described how special files 
utilized file attributes similar to the instant invention. 

"Exactly What is a Driver" established that a device driver was similar to the 
special device file used in the instant invention. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Kristin Derwich whose telephone number is 571-272-7958.
The examiner can normally be reached on Monday-Friday, 8:00-5:30.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 703-872-9306.

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 





